Security policies proliferate in wake of data thefts

Related Links

As reports of data being compromised in agencies’ information technology systems mount, policy-makers are responding with efforts to clamp down. Recent cases involving the Department of Veterans Affairs, the Energy Department and the Navy that have exposed personal data, including Social Security numbers, have raised fears of identity theft.

The Office of Management and Budget issued a memorandum July 12 detailing the steps agencies should follow to report security incidents. Rep. Tom Davis (R-Va.) introduced a bill also calling for a mandatory reporting process, while DOE issued

a final rule that had been under development for more than a year outlining the mandatory process to gain access to agency computers.

The security incident at DOE happened more than a year before word of it came out in June.

The National Nuclear Security Administration was the target of the attack and the source of the new rule, which will become effective agencywide Aug. 18. The main feature of the rule is that DOE employees and contractors must acknowledge in writing that authorized investigative agencies can access the computers they used during the time of their employment and for as long as three years after they leave.

The rule states that members of the public who interact with DOE computers, even through simply sending an e-mail message to the agency, can have no expectation of privacy. The rule follows one proposed by the department in March 2005 and incorporates comments the agency received.

Similar policies are common in private industry but less common among agencies, said analyst John Pescatore, vice president of Internet security at Gartner. However, as agencies learn from experience — their own or other agencies’ — such measures are likely to become more widespread, he said.

“There have been various rulings about whether an employee has a reasonable expectation of privacy” when using their employers’ computers, he said. “The way industry deals with that is to make the employee sign something saying they have no expectation of privacy.”

In agencies, conflicts have arisen when officials tried to monitor traffic to ensure data was secure, he said. The explicit policy is designed to resolve such disputes.

“I would expect to see many more government agencies doing this,” Pescatore said.

Randy Erwin, assistant to the president of the National Federation of Federal Employees, said his union would not object to the notion that agency employees have no expectation of privacy. That, he said, is status quo for employees of most organizations, and requiring a signed statement is simply calling the policy to the employees’ attention.

However, he added, “We’d like to see one of the actual statements. The devil is in the details. Our concern is that they’d be giving something more away.”

The renewed attention to reporting requirements is also connected to DOE’s experience and the concern that potential victims of identity theft didn’t learn they were vulnerable until long after the incident. OMB’s guidance added urgency to the procedures mandated by the Federal Information Security Management Act of 2002 by requiring agencies to report all breaches involving personally identifiable information within one hour of discovering the breach.

Alan Paller, director of research at the SANS Institute, said he doubted that OMB or Congress could have much effect on how quickly agencies report data breaches.

“People who were going to delay the release of — or just refuse to release — information will still do that,” he said.

OMB’s reminderIn a July 12 memo, the Office of Management and Budget reminded agencies of their data breach reporting requirements under the Federal Information Security Management Act of 2002 and amended some of them.

Karen Evans, administrator of OMB’s Office of E-Government and Information Technology, issued the memo. Its major points include:

All agencies must report security incidents to the U.S. Computer Emergency Readiness Team, a federal incident response center at the Homeland Security Department.

Agencies must report all data breaches involving personally identifiable information, including those that are suspected but not proven, within one hour of discovering the breach.